Workshop Functional Safety

Transcription

1 Workshop Functional Safety Nieuwegein 12 March 2014 Workshop Functional Safety VDMA 4315 Part 1 page 1

2 Agenda VDMA Working Group on Functional Safety Functional Safety and Safety Lifecycle Functional Safety Basic Terms Quantitative Risk Analysis Low Demand Case Risk Equation Risk Assessment Assumptions and Factors Basic Questions, Tolerable Risk Limits, Severity of Harm, Occupancy Definition Type of Risk SIL Assignment Tools & Methods page 2

3 VDMA Working Group Motivation - Introduction of new Standards for Functional Safety IEC 61508, IEC61511, IEC62061, ISO13849 Common Key Avoidance of Systematic Failures Features Probabilistic Approach Finding 2007 None of the standards is completely applicable None of them is applicable without interpretation Concern - Functional Safety: Issue for Project Execution Compliance Documentation for Handover and Permitting Risk of conflicts in understanding, late changes, delays, costs Target Synthesis of the relevant standards with respect to Specification of Safety Integrity Requirements VDMA Specification 4315, part 1 Relevant safety functions with typical safety integrity requirements for different types of engines VDMA Specification 4315, other parts page 3

4 VDMA Working Group Active since 2007 Participating OEMs and Products under Consideration Alstom Power Steam turbines and gas turbines for power generation, industrial steam turbines and turbogenerators Atlas Copco Energas Compressors MAN Diesel & Turbo Compressors and steam turbines and gas turbines for power generation and industrial applications Siemens Energy Sector Steam turbines and gas turbines for power generation and industrial applications, turbogenerators and compressors VGB PowerTech European association of operating companies of power stations and heating plants Current Publication: VDMA Specification Series 4315 page 4

5 VDMA Working Group VDMA-Specification Series 4315 Structure and Status Part No. Title Status Part 1 Methods for determination of the necessary risk German: published reduction English: published Part 2 Functional safety in existing installations In preparation Part 3 spare not applicable Part 4 spare not applicable Part 5 Risk assessment steam turbines German: published English: published Part 6 Risk assessment gas turbines German: published English: in preparation Part 7 Risk assessment compressor train German: published English: published Part 8 Risk assessment hydrogen cooled generators with water cooled stator windings In final preparation For actual status and ordering information see 9tZSZsYW5ndWFnZWlkPWRl.html page 5

6 What is Functional Safety Functional Safety: Engineering of Safety Functions Instrumented Control System Functions In the process industry typically not required for normal operation of the machines React on dangerous process situations Restoration of a Safe State mostly by an emergency shut-down (trip) Examples for turbomachines: Overspeed protection function all turbines Flame supervision function gas turbines see figure Central control & protection system Process control logic Safety logic page 6

7 What is Functional Safety Machinery Directive 2006/42/EC, ANNEX I, Essential health and safety requirements GENERAL PRINCIPLES: The manufacturer of machinery must ensure that a risk assessment is carried out Principles of safety integration: Machinery must be designed and constructed so that it does not put people at risk and to this end... the manufacturer must apply the following principles, in the order given: eliminate or reduce risks as far as possible (inherently safe machinery design and construction), take the necessary protective measures in relation to risks that cannot be eliminated, inform users of the residual risks due to any shortcomings of the protective measures adopted, indicate whether any particular training is required and specify any need to provide personal protective equipment. Legal Basis for Functional Safety page 7

8 Functional Safety Lifecycle Nr. Step in the safety lifecycle Corresponding clauses in the standards 1. Risk assessment ISO 12100, 3.17: Overall process comprising a hazard analysis and a risk evaluation IEC 61511; step 1: hazard and hazard analysis (IEC , figure 8) 1.1 Specification of the scope of the analysis 1.2 Hazard analysis Identification of hazards 1.3 Risk estimation ISO 12100, 3.15: Combination of the specification of the limits of the machine, hazard identification and risk estimation ISO 12100, 5.3: Specification of the limits of the machine IEC 61508: step 2: specification of the overall scope ISO 12100, 5.4: Identification of hazards IEC 61508: step 3: hazard and hazard analysis, ISO 12100, 3.14: Definition of the likely severity of harm and probability of its occurrence ISO 12100, 5.5: Risk estimation 1.4 Risk evaluation ISO 12100, 3.16: judgement, on the basis of hazard analysis, of whether the risk reduction objectives have been achieved 2. Allocation of safety integrity requirement Identification of safety measures, in particular of safety functions Allocation of safety integrity requirement to safety functions IEC 61511; step 2: allocation of safety requirements 3 Allocation of safety integrity requirement to safety functions 3.1 Safety integrity requirement IEC 61511: step 3: safety requirements specification 3.2 Functional requirements page 8

9 Functional Safety Lifecycle Nr. Step in the safety lifecycle Corresponding clauses in the standards 4. Design of the safety function IEC 61511: step 4: design and realisation 5. Construction and installation of the safety function IEC 61508: step 5: installation and commissioning Verification of the satisfaction of the safety requirements prior to commencing commercial operation of the protected equipment Operation and maintenance of the safety circuit during the operation of the protected equipment IEC 61511: Included in step 5: validation (IEC 61508: step 13: safety validation) IEC 61511: step 6: operation and maintenance 8. Modification of the safety circuit IEC 61511: step 7: modification: 9. Decommissioning of the safety circuit IEC 61511: step 8: decommissioning page 9

10 Functional Safety Lifecycle Simplified Representation in Main Phases pre-specification post-specification Hazard Ident. Risk Analysis Specification of Safety Functions Design of Safety Functions Implementation & Testing of Safety Functions Transition document: Safety Requirement Specification Functional Requirements: What shall be done when & how fast Conditions for triggering a safety system actions ( process parameters, logics) Required system reaction ( triggering of process actuators) Required Safety Integrity Safety Integrity: Degree of immunity of a function against failures Current Subject: Specification of required safety integrity page 10

11 Functional Safety Basic Terms From Risk Assessment to Safety Requirement Specification Process Hazard Accident Scenario 1 Accident Scenario n Accident Scenario 2 Functional Requirements Safety Function Risk page 11

12 Functional Safety Basic Terms Process Hazard A harmful effect - penetrating the process enclosure process gasses (steam, hot gas, combustion gas or others),particles, shock waves, fire, high pressure jets of liquids Caused by a specific type of malfunction Potentially causing harm to people (or damage to equipment) Accident Scenario Description of an accident as narrative with the initial conditions, the chronological sequence of events, the causal relationships and the final outcome Risk Measure for the hazardous nature of a scenario or event: How dangerous is it? Combination of the severity of the harm and the rate of occurrence that is connected with the scenario or event page 12

13 Functional Safety Basic Terms Rate of Occurrence of an Event Qualitatively described as «frequently», «occasionally», «seldom» or «never» Quantified in «events per time» or «average time between events» For accidents of turbomachinery causing harm to people Theoretically anticipated from a risk analysis Cannot be derived from actual accident statistics An event rate be attached to a defined event only Reference Event Formalized Description of an Accident Scenario Which equipment unit or equipment scope is causing the accident? To which specific process hazard is the accident related? Who is suffering harm? (What is suffering damage?) Which kind of harm (or damage) is suffered, on which level of severity? page 13

14 Functional Safety Basic Terms Safety Integrity is a property of a specific Function Degree of confidence, that the function will work as designed within given boundary conditions Safety Integrity Level SIL: Indicator for Safety Integrity in discrete Levels: SIL1, SIL2, SIL3, SIL4 Low demand mode: SIL Decades of Risk Reduction Factor RRF High demand mode: SIL Decades of Dangerous Failure Rate PFH D Safety Integrity is established by different measures as requirement to a function Required risk reduction Safety Requirement Specification Functional features Safety Integrity... as property of a function Measures against systematic failures System architecture (e.g. redundancy) Calculated risk reduction (reliability) page 14

15 Quantitative Risk Analysis Specification of a Required Safety Integrity Subject A: Process Hazard Reference Event Process Risk Risk is treated as emission of machine & process Tolerable Risk: Maximum allowable risk emission Subject B: Safety Function Attenuation factor for the risk emission Residual Risk Required Risk Reduction Required Safety Integrity increasing risk Process Risk Emission assuming the safety function absent Tolerable Risk Required Risk Reduction Safety Integrity of a safety function Actual Risk Reduction Residual Risk Reference level page 15

16 Quantitative Risk Analysis... but treat it correctly, nevertheless! potential accidents - demands actual accident Risk w/o Safety Function Unmitigated accident rate Safety Function Residual risk Mitigated accident rate page 16

17 Quantitative Risk Analysis Safety Function Unreliability as a function of time PFH D = / h; TI = 3y probability of failure PFD PFD avg = 1/2 PFH D TI Safety Function - PFD(t) - NOT tested Safety Function - PFD(t) Safety Function - tested, PFD average calendar time / years page 17

18 Quantitative Risk Analysis Safety Functions as Attenuation Function for Accident Rates Process Risk Unmitigated accident rate: Rate of a reference event, under the assumption, that a safety function is not installed Remnant Risk Mitigated accident rate: Rate of the same reference event, under the assumption, that a safety function is installed 1 Mitigated Accident. Rate Demand Rate = 2 * Test Rate model calculation risk reduction approximation risk limiting approximation Unmitigated Accident Rate in Events per Year At low rates: Safety function works as risk reducer Low demand mode At high rates: Safety function works as risk limiter High demand mode page 18

19 Low-Demand Case - Basic Equations Typical for Safety Functions of Turbomachines: Low Demand The Risk Reduction Equation Protection Function as risk reducer RRF = U / L RRF: Required Risk Reduction factor quantifies required safety integrity U: Unmitigated accident rate process demand L: Tolerable Risk The General Risk Equation Common parameters of risk analyses of turbomachines Quantification of unmitigated accident rate U = W x F x A x V U: Unmitigated accident rate W: Rate of occurrence of the hazardous situation (emergence of a process hazard F: Occupancy parameter: Likelihood for the process hazard to meet people A: Avoidability parameter or unavoidability V: Vulnerablility page 19

20 Risk Assessment - Assumptions Basic Questions Four Factors Quantifying the Risk Emission of Turbomachines What needs to happen to a person to suffer harm? How frequently will a harmful effect break out of the containment and penetrate into an area, which can be occupied? How likely will somebody meet the harmful effect? How likely will this somebody avert the danger by herself/himself? Not at all, for example, if the accident develops too fast to allow any action. How likely does the exposed person get away without suffering the reference harm?... or has bad luck, finally. Dangerous event rate W Occupancy parameter F Unavoidability A Vulnerability V page 20

21 Tolerable Risk Limits Tolerable Risk Limit: Maximum allowable risk emission assigned to an equipment unit or equipment scope a process hazard ( a safety function ) a single person or a collective of people suffering harm? the level of severity of the harm (injury, casualty) Parameter in a Quality Assurance Procedure expression of a state of the art as reflected by methods for risk analysis / SIL assignment without direct relation to actual accident rates (for turbomachines) Established Numerical Level Event based risk, work accident with 1 to 10 fatalities: 1*10-4 per year Individual risk, fatal work accident: 1*10-5 per year Staggered in decadic steps for other damage categories page 21

22 VDMA Power Systems Risk Assessment - Assumptions Severity of Harm Which Severity to be assumed for a Process Hazard There are many different scenarios with many levels of severity For each possible Reference Event a separate analysis could be made Frequent convention: Most severe harm that can reasonably be assumed representative for general Risk Level Event Rate Range of realistic reference events with similarly high risk Most severe harm that can reasonably be assumed Severity of Harm page 22

23 Risk Assessment - Assumptions Occupancy Group Hazard- Zone Inspectors (1 to 2 persons) Maintenance personnel (up to 3 persons)) General site personnel Overhaul personnel 20 to 70 persons only in plants with several units Visitor groups typically 20 persons Directly at the machine 1% or less at a specific hazard location 1a 1b Not allowed Enclosure Machine Machine building / Extended installation zone Not allowed (with machine in operation or machine ready to start) Site 2% 30% Rest of the time Less than 10% Less than 10% (up to 3 persons) 30% (only 1 shift per day) 100% (always, 5 to 10 persons, depending on time of day and size of plant) 5% Not relevant 1% (up to 2*1h per week) Plus around the same time as in the machine building Exterior Not relevant General population Not allowed 100% page 23

24 Risk Assessment - Assumptions Occupancy Group Hazard- Zone Directly at the machine 1a 1b Enclosure Machine Machine building / Extended installation zone Site Exterior Summary - occupancy of the risk zones based on the number persons present at the same time 1-2 persons 3 to 10 persons Less than 1% to a few % 30% 10% Always (site employees)) Not allowed Many 6% 1% Always (people who are not staff) page 24

25 Definition Type of Risk Several Expressions of Risk for a given Hazard / given Harm Expected count of Events per Reference Time There are different definitions for events & time Most frequently used: Event Based Risk & Individual Risk page 25

26 Definition Type of Risk Event Based Risk Reference Event: Accident of a specific severity, defined by level of harm maximum number of affected people On a specific unit or plant Caused by a defined hazard or group of hazards Established preliminarily as a measure for risk in continental Europe Individual Risk Reference Event Accident with a specific level of harm Affecting a specific individual person On a specific unit or plant, by a defined hazard or group of hazards as above Individual risk does not account for Maximum number of people affected by a single accident Accidents to people, who are not most exposed Established as a measure for risk in the UK (by HSE) page 26

27 SIL Assignment Tools & Methods SIL Assignment Required Risk Reduction to a Function Available Tools & Methods Layer of Protection Analysis Full Fault Tree and/or Event Tree Analysis Risk Matrices Risk Graphs Each valid Tool or Method is an Expression of the Risk Equation RRF = U / L = W x F x A x V / L Equivalence of tools can be shown on this basis Each tool or method expressing the risk equation is valid The VDMA Risk Graph Selected as Tool for Presentation of Results Not obligatory for the user see above Valid for low demand cases page 27

28 SIL Assignment Tools & Methods LOPA, Format acc. IEC61511 page 28

29 SIL Assignment Tools & Methods LOPA, Customized Format Explosion protection for the propane gas cabinet MBQ30 - PR7.11 according HTCT scenario number & desciption Initial failure event rates in average occurence per year of engine operation Identification of concerned safety function Potential Consequences with Consequence Likelihoods Likelihood of the given consequence to result from the preceding event, assuming the preceding event as given. Risk mitigating factors Likelihood oof casualty events per mean time year of between engine events in operation years A Propane Ignition System: Gas leak with subsequent explosion or deflagration description of failure scenario rate of initial event Propane gas leak in system MBQ30 Failure of cabinet ventilation Failure of Alarms and Inspections Accumulation of propane and ignition Risk area coverage factor - "vulnerability" Person present in risk area E '410 Initial likelihood mitigated by commissioning erection checks. Later on, leaks may be generated preliminarily by improper connection of new bottles into the system. A bottle is supposed to entertain about 100 starts. Depending on the engine operation schedule, a bottle is exchanged a few times per year down to once in a few years. In the majority of cases this is done correctly. Ventilator MBQ33 AN001 to propane cabinet MBQ30. The dominating failure cause would be a failure of the motor. The failure rate of an AC squirrel cage motor is typically 5*10-6/h. A factor of 3 is applied to allow for other failures than those of the motor. Assuming a time to repair of 5 days, the likelihood of meeting the propane cabinet ventilation failed at any point of time is as given above. Differential pressure supervision MBW33 CP010 with Alarm. Alarm of motor control center MBQ33 AN001. Inspection and local indication of pressure MBQ30 CP002/CP003. There are no ignition sources inside the propane gas cabinet. Leakages to the outside of the cabinet will be small. They are diluted by diffusion and air turbulence with increasing distance from the cabinet. Therefore, the likelihood of a postulated propane leakage to meet an ignition source with a sufficient level of concentration is assessed significantly less than "certain". (It is acknowledged, that the auxiliary enclosure is not designed as explosion protection zone.) Risk Area: Auxiliary enclosure. Assumed to be included in "common GT& ST- Buildings", item 1. In occupancy plan 1AHA053291, section 8.1. Coverage factor "1" is conservative. required RRF Operator during walkaraound, per day 15 minutes in 1. "Common GT&ST"; to be multiplied by 2 for 2 units plus a margin of 33% in order to allow for additional maintenance supervision expected event rate of damage - cumulated tolerable event rate Total required SIL individual risk of casualty for the most exposed person, tolerable level in events per years of engine operation Required risk reduction factor Required SIL-Level 1.7E ' E none none page 29

30 SIL Assignment Tools & Methods Risk Matrix Energy Risk - Siemens page 30

31 SIL Assignment Tools & Methods The VDMA Risk Graph W3 >1 W2 [1; 0,1] W1 [0,1; 0,01] W0 [0,01; 0,001] W-1 [0,001; 0,0001] W-2 <= 0,0001 S1 Minor injury a S2 Serious irreversible injury F1 F2 <=10% >10% A V 1 A V 2 A V 1 <=10% >10% <=10% 1 a a S3 Fatalities one to max. 10 persons F1 F2 <=10% >10% A V 2 A V 1 >10% <=10% a S4 Fatalities F1 <=10% more than 10 persons F2 >10% A V 2 A V 1 A V 2 >10% <=10% >10% a --- b a page 31

32 SIL Assignment Tools & Methods Risk Graph Risk Graph: Graphical Representation of a Discretized Equation Equation: SIL = S + F + Av + W 6: Equivalent to risk equation Discretization: Accident related parameters discretized UP Required risk reduction discretized DOWN W F P a SIL1 SIL2 SIL3 For a given SIL-level, a risk graph can assume only the lowest risk reduction factor of the assigned interval. page 32

33 SIL Assignment Tools & Methods Risk Graph Extraction of a Tolerable Risk Limit from a Risk Graph W3 >1 W2 [1; 0,1] W1 [0,1; 0,01] W0 [0,01; 0,001] W-1 [0,001; 0,0001] W-2 <= 0,0001 S1 Minor injury a S2 Serious irreversible injury F1 F2 <=10% >10% A V 1 A V 2 A V 1 <=10% >10% <=10% 1 a a S3 Fatalities one to max. 10 persons F1 F2 <=10% >10% A V 2 A V 1 >10% <=10% a S4 Fatalities F1 <=10% more than 10 persons F2 >10% A V 2 A V 1 A V 2 >10% <=10% >10% a --- b a page 33

34 Summary Safety Integrity expresses the relation between Hazard Function Tolerable Risk Limit Each of these is a logically necessary. Assigning a Safety Integrity Requirement to a Safety Function Is NOT an exact science. Requires reasonable engineering judgement. Can comply with a clear and consistent logical concept, nevertheless. That concept is laid out in VDMA Best available state of the art page 34